Managing cyber-security risks to your critical assets: An insight into SCADA security risks

The threat of cyber-terrorism, where politically motivated terrorists target critical information control systems to deliberately cause harm, is high on the security agenda for many governments and organisations in charge of public infrastructure around the world.

For example, cyber terrorism was a focal point at the Australia-US ministerial meeting in Washington in April 2009. Recent media reports of serious security breaches illustrate the reason for the growing concern around this issue.

These breaches include hackers breaking into the Pentagon’s $US300 billion Joint Strike Fighter Project – a weapons programme involving the development of a new fighter aircraft. The US electricity grid network was also recently compromised, allegedly by Chinese and Russian spies.1

While the American electricity grid wasn’t damaged in this incident, the concern remains that it could be a future target, particularly in a period of political unrest.

Generally, the motivation for this type of subversion is political. The intent is to harm and spread fear to affect domestic, national or international events.

Australian Foreign Minister, Stephen Smith, indicated recently that cyber attack will remain high on Australian security priority lists.

“When I'm asked about cyber security, I don't identify one particular incident, one country, or one threat. This is an issue which Australia has made clear we address generally, and there are very strong references to the need to apply appropriate resources to protect against cyber security in our recent national security document. This is an issue which all modern nation-states confront.”

Utilities are especially vulnerable given the trend of connecting control systems that run critical infrastructure to the internet. To illustrate how simple it can be to compromise a control system, consider a 2008 incident in the city of Lodz in Poland.

The city’s tram system was sabotaged by a 14-year-old boy who hacked into their network and used it like a giant train set. This was achieved by adapting a television remote control to change track points. Chaos ensued and four vehicles were derailed. In one derailment 12 people were injured.

This is just one of 135 industry-reported cyber incidents against industrial control systems around the world over the past 4.5 years.

The evolution of the internet has brought great business benefits and improved process efficiencies. Unfortunately it also exposes companies to added security risks. Approximately 20 years ago these industrial systems were closed and isolated. But in today’s world they are increasingly connected to other businesses as well as the internet.

It’s a sobering thought, but it would be fair to suggest that the majority of plants and control systems that run our critical infrastructure are vulnerable to cyber attack. Many of these organisations have not applied the same level of security thinking to protecting their systems as they do for their ICT. In some cases their websites are far more protected than the systems that run the infrastructure that nations depend on.

As another example, consider the case of the man found guilty of hacking into the Maroochy Shire, Queensland computerised waste management system in 2000, causing millions of litres of raw sewage to spill out into local parks and rivers. It took three months for authorities to pinpoint the source of the problem. Apart from the enormous cost to clean up such a mess (in this case more than $A175,000) the environmental, economic and social impacts of a compromise like this are potentially enormous, striking at the core of all levels of sustainability.

So how should businesses, utilities and government organisations respond in a world where tensions in the geo-political environment and the proliferation of terrorism have intensified cyber security risks?

Part of the arsenal to defend against malicious hackers is to employ specialised industrial control system (ICS) security services to mitigate risk. This kind of service is essential whether building a new plant or planning systems upgrades.

No silver bullet will solve ICS security issues; a trade-off is needed between the system’s performance, reliability and availability, and cost. However, at the core of any security strategy is risk management.

ICS security specialists take a holistic, multi-disciplined approach by applying standards-based risk management techniques in order to identify and treat cyber risks. Solutions are based on individual threat assessments. Through a process of risk identification and categorisation, appropriate mitigating controls are selected and implemented for treatment.

Once an assessment is complete, recommendations are made as to the range of controls that can be implemented, including:

  • Technology
  • Network architecture
  • Control system configuration
  • Policies and procedures
  • Staff vetting

Applying risk management to cyber security should be an intrinsic element of any architectural and design process, just as it is applied to safety and operational projects.

Over the past two years there have been approximately 27 reported cases of cyber attack against ICS. However, it is a widely held view that thousands of incidents go unreported. As this article has illustrated, the potential damage from cyber terrorism means this threat demands much greater attention from many organisations.

Remember the worm

In 2003 the fastest internet computer worm in history, the “Slammer” worm, was released by hackers. As it began its journey throughout the internet, the infection doubled in size every 8.5 seconds and reached more than 90 per cent of vulnerable hosts within 10 minutes.

The worm was released at a nuclear power plant in Ohio, USA and took command of the SCADA (Supervisory Control and Data Acquisition) system causing operators to lose control for around six hours.

At least 75,000 hosts were infected across the world. It caused network outages, cancelled airline flights, interfered with elections and caused ATM failures. Although this was quite devastating, the situation would have been worse if Slammer had contained a malicious payload that completely disabled a server or network. In this instance it caused harm simply by overloading networks and taking database servers out of operation.

1 Siobhan Gorman, "Electricity Grid in U.S. Penetrated By Spies", Wall Street Journal, 8 April 2009

For further information, contact: Chris Beggs

© Sinclair Knight Merz
Requests to re-publish archive articles should be made via information@globalskm.com

Who does this affect?

Organisations that own and/or operate systems that control critical public infrastructure.

What do I need to do?

Establish comprehensive Supervisory Control And Data Acquisition (SCADA) security risk management programs in order to identify risks and develop mitigation strategies to protect critical infrastructure from cyber attack.

Authors: Dr Chris Beggs & Benn Alp

Chris Beggs has a PhD in Cyber-terrorism and SCADA security. He is an industrial control systems security practice specialist at SKM.

Benn Alp is a senior ICT security risk consultant at SKM specialising in business risk and technology.
